ManifestAmbiguity
AxmlParser.c:121 的 GetInt32 方法存在一个 OOB-READ（越界读）缺陷
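/*
 * Reproduction harness from the report (the original was pasted on a single
 * line and the delimiters of its "Global vars" comment were lost in rendering).
 * It reads the whole target file into a heap buffer of exactly the file's size
 * and hands it to AxmlToXml(); the heap-buffer-overflow reported by ASan is
 * triggered inside the parser, not in this harness.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#include "AxmlParser.h"
#include "AxmlModify.h"
#include "options.h"

/* Global vars. Used for AxmlModify */
uint32_t g_styleDataOff = 0x0;
uint32_t g_appTag_nameOff = 0x0;
uint32_t g_curStringCount = 0x0;
uint32_t g_appURIindex = 0x0;
uint32_t g_res_ChunkSizeOffset = 0x0;

/*
 * Entry point of the repro harness (the name is kept exactly as in the report).
 *
 * Loads "fuzzing-7300437709702113099" into memory, parses it with AxmlToXml()
 * and, depending on the option flags, prints the XML or runs axmlModify().
 *
 * Returns 0 on success, the negative result of AxmlToXml()/axmlModify() when
 * they fail, or -1 when opening, sizing, allocating or reading the input fails.
 * Every path releases the file handle and the buffers it owns; the original
 * fell through on fopen() failure (fseek on NULL), returned without a value on
 * several error paths, and leaked outbuf/inbuf/fp on the parserXml branch.
 */
int mian(void)
{
    /* NOTE(review): the report never assigns g_opts, so the flag checks below
     * dereferenced an indeterminate pointer. It is initialised to NULL and the
     * dereference guarded; where the options struct is really supposed to come
     * from is not shown in the report — confirm against the real harness. */
    struct options_t *g_opts = NULL;
    const char *target_filename = "fuzzing-7300437709702113099";
    FILE *fp = NULL;
    char *inbuf = NULL;
    char *outbuf = NULL;
    size_t outsize = 0;
    size_t insize = 0;
    long filelen = 0;
    int ret = -1;

    fp = fopen(target_filename, "rb");
    if (fp == NULL) {
        fprintf(stderr, "Error: open input file failed.\n");
        goto out;
    }

    /* ftell() returns -1 on failure; checking it keeps insize from wrapping. */
    if (fseek(fp, 0, SEEK_END) != 0 || (filelen = ftell(fp)) < 0 ||
        fseek(fp, 0, SEEK_SET) != 0) {
        fprintf(stderr, "Error: read file.\n");
        goto out_close;
    }
    insize = (size_t)filelen;

    /* Allocate exactly insize bytes, as the report does: the ASan redzone then
     * starts right after the last input byte, which is what makes the
     * parser's out-of-bounds read visible. (malloc(0) may return NULL for an
     * empty file; that is reported as an allocation failure below.) */
    inbuf = malloc(insize);
    if (inbuf == NULL) {
        fprintf(stderr, "Error: init file buffer.\n");
        goto out_close;
    }

    /* fread() returns size_t; compare without the int/size_t mismatch. */
    if (fread(inbuf, 1, insize, fp) != insize) {
        fprintf(stderr, "Error: read file.\n");
        goto out_free_in;
    }

    /* Reading and modifying the xml both require parsing the target xml first. */
    ret = AxmlToXml(&outbuf, &outsize, inbuf, insize);
    if (ret < 0) {
        fprintf(stderr, "Error: parse file.\n");
        /* outbuf is only known to be owned by us on success, so it is not freed here. */
        goto out_free_in;
    }

    if (g_opts != NULL && g_opts->parserXml) {
        printf("%s", outbuf);
        ret = 0;
        goto out_free_out;
    }

    if (g_opts != NULL && g_opts->modifyXml) {
        ret = axmlModify(inbuf, insize, g_opts->output_file);
        if (ret < 0) {
            fprintf(stderr, "Error: modify file.\n");
        }
    }

out_free_out:
    free(outbuf);
out_free_in:
    free(inbuf);
out_close:
    fclose(fp);
out:
    return ret;
}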
———————————————————————————————————————— 其中fuzzing-7300437709702113099文件输入内容说明: Len is = | 3 Hexvalue = | "\x23\x40\x5c" Stringvalue = | "#@"
———————————————————————————————————————— 缺陷日志为: ==539977==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000036f2 at pc 0x55c9152cf856 bp 0x7ffe86306720 sp 0x7ffe86306710 READ of size 1 at 0x6020000036f2 thread T0 #0 0x55c9152cf855 in GetInt32 /home/tj/digcve/ManifestAmbiguity/AxmlParser.c:121 #1 0x55c9152cfb39 in ParseHeadChunk /home/tj/digcve/ManifestAmbiguity/AxmlParser.c:153 #2 0x55c9152d0c6e in AxmlOpen /home/tj/digcve/ManifestAmbiguity/AxmlParser.c:328 #3 0x55c9152d46fe in AxmlToXml /home/tj/digcve/ManifestAmbiguity/AxmlParser.c:907 #4 0x55c9152ce6b3 in easyloop /home/tj/digcve/ManifestAmbiguity/test2.c:50 0x6020000036f2 is located 0 bytes to the right of 2-byte region [0x6020000036f0,0x6020000036f2) allocated by thread T0 here: SUMMARY: AddressSanitizer: heap-buffer-overflow /home/tj/digcve/ManifestAmbiguity/AxmlParser.c:121 in GetInt32 Shadow bytes around the buggy address: 0x0c047fff8680: fa fa fd fd fa fa 00 03 fa fa fd fd fa fa 00 04 0x0c047fff8690: fa fa fd fd fa fa 00 04 fa fa fd fd fa fa 00 06 0x0c047fff86a0: fa fa fd fd fa fa 00 04 fa fa fd fd fa fa 00 04 0x0c047fff86b0: fa fa fd fd fa fa 00 04 fa fa fd fd fa fa 00 04 0x0c047fff86c0: fa fa fd fd fa fa 00 04 fa fa fd fd fa fa 00 04 =>0x0c047fff86d0: fa fa fd fd fa fa 00 04 fa fa 02 fa fa fa[02]fa 0x0c047fff86e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff86f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array 
cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc